
I have searched for so many different solutions and I have not found anything, I am hoping that I can find the solution here.

We are configuring a new VPN. Our old VPN is set up as an IKEv1 VPN and works fine; the new one doesn't: it can establish a connection with the other site, but a tunnel is not established.

The previous VPN was not set up by me, and I copied a lot of the config and changed it where required.

We authenticate using a preshared key.

The output of ipsec statusall (please note that addresses have been modified for privacy reasons):

root@vpn:/etc# ipsec statusall
Status of IKE charon daemon (strongSwan 5.9.5, Linux 5.15.0-58-generic, x86_64):
  uptime: 3 minutes, since Jan 23 14:32:53 2023
  malloc: sbrk 3620864, mmap 0, used 1815424, free 1805440
  worker threads: 11 of 16 idle, 5/0/0/0 working, job queue: 0/0/0/0, scheduled: 6
  loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs8 pkcs12 pgp dnskey sshkey pem openssl gcrypt af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac ctr ccm gcm ntru drbg curl attr kernel-netlink resolve socket-default connmark forecast farp stroke vici updown eap-identity eap-aka eap-md5 eap-gtc eap-mschapv2 eap-dynamic eap-radius eap-tls eap-ttls eap-peap eap-tnc xauth-generic xauth-eap xauth-pam tnc-tnccs dhcp lookip error-notify certexpire led addrblock unity counters
Listening IP addresses:
  192.168.0.211
  10.134.64.121
Connections:
    ciscoios:  10.134.64.116...81.111.21.70  IKEv2
    ciscoios:   local:  [10.134.64.116] uses pre-shared key authentication
    ciscoios:   remote: [81.111.21.70] uses pre-shared key authentication
    ciscoios:   child:  10.134.64.116/32 === 81.111.21.70/32 TUNNEL
Security Associations (1 up, 1 connecting):
    ciscoios[12]: ESTABLISHED 16 seconds ago, 10.134.64.116[10.134.64.116]...81.111.21.70[81.111.21.70]
    ciscoios[12]: IKEv2 SPIs: 02ccd980723c33b0_i 8c41914c7d9e5c2d_r*, pre-shared key reauthentication in 23 hours
    ciscoios[12]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    ciscoios[1]: CONNECTING, 10.134.64.116[10.134.64.116]...81.111.21.70[81.111.21.70]
    ciscoios[1]: IKEv2 SPIs: 9e1ac75ad8f910c4_i* 0000000000000000_r
    ciscoios[1]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    ciscoios[1]: Tasks active: IKE_VENDOR IKE_INIT IKE_NATD IKE_CERT_PRE IKE_AUTH IKE_CERT_POST IKE_CONFIG CHILD_CREATE IKE_AUTH_LIFETIME IKE_MOBIKE

ipsec.secrets:

10.134.64.116  81.111.21.70 : PSK "ourprivatekey"

ipsec.conf:

config setup
    # strictcrlpolicy=yes
    uniqueids = yes
    charondebug = "ike 4, knl 2, cfg 2, chd 2, dmn 2, lib 2, net 2, esp 3"

conn %default
    ikelifetime=86400s
    keylife=60m
    ########rekey=no
    ########rekeymargin=3m
    ########keyingtries=1
    ########keyingtries=%forever
    keyexchange=ikev2
    authby=secret
conn ciscoios
    type=tunnel
    auto=start
#   auto=add
    compress=no
    left=10.134.64.116
    leftsubnet=10.134.64.116/32
    leftid=10.134.64.116
    leftfirewall=yes
    right=81.111.21.70
    rightsubnet=81.111.21.70/32
    rightid=81.111.21.70
    ike=aes256-sha256-modp2048!
    esp=aes256-sha256-modp2048!
#   keyexchange=ike
#   leftauth=psk
#   rightauth=psk

IP Tables:

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -s 192.168.0.0/24 -i enp5s0 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -j LOG --log-prefix "[FW INPUT]:    "
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -s 192.168.0.0/24 -i enp5s0 -o enp2s0 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j LOG --log-prefix "[FW FORWARD]: "
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o enp2s0 -j ACCEPT
-A OUTPUT -d 192.168.0.0/24 -o enp5s0 -j ACCEPT
-A OUTPUT -j LOG --log-prefix "[FW OUTPUT]:   "

It is basically a carbon copy of our old VPN, which worked on IKEv1. I made the required changes to addressing and so on; unfortunately, I just cannot establish a tunnel.

If anyone can help it would be much appreciated.

  • There is an IKE_SA established successfully (as responder). The one as initiator apparently not (or not yet). And there is no CHILD_SA for either. The latter could be because of the `left|rightsubnet` configuration, the `type` (i.e. IPsec mode) or the `esp` proposal. Please check (or post) the log. – ecdsa Jan 24 '23 at 09:19
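As an added example (it is not part of the question, the comment, or strongSwan itself), here is a small Python triage script for exactly the state ecdsa describes: an IKE_SA that is ESTABLISHED while no CHILD_SA was built. It parses the "Security Associations" section of `ipsec statusall` (CHILD_SA lines look like `ciscoios{1}: INSTALLED, TUNNEL, ...` and are printed directly under their IKE_SA), reports IKE_SAs with no installed child, and maps the notify charon logs when the peer rejects the CHILD_SA (`received <NOTIFY> notify, no CHILD_SA built`) back to the `leftsubnet`/`rightsubnet` and `esp=` settings in the posted ipsec.conf. The status and log samples are constructed for this example, the SPIs in the "healthy" sample are made up, and the hint texts are my reading of RFC 7296, not strongSwan output.

```python
import re

# Constructed sample in the shape of the `ipsec statusall` "Security
# Associations" section from the question: IKE_SA [12] is ESTABLISHED but no
# CHILD_SA ("{n}: INSTALLED") line follows it; IKE_SA [1] is still CONNECTING.
SAMPLE_STATUS = """\
Security Associations (1 up, 1 connecting):
    ciscoios[12]: ESTABLISHED 16 seconds ago, 10.134.64.116[10.134.64.116]...81.111.21.70[81.111.21.70]
    ciscoios[12]: IKEv2 SPIs: 02ccd980723c33b0_i 8c41914c7d9e5c2d_r*, pre-shared key reauthentication in 23 hours
    ciscoios[12]: IKE proposal: AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
    ciscoios[1]: CONNECTING, 10.134.64.116[10.134.64.116]...81.111.21.70[81.111.21.70]
    ciscoios[1]: IKEv2 SPIs: 9e1ac75ad8f910c4_i* 0000000000000000_r
"""

# Constructed "healthy" sample (hypothetical SPIs) showing what a working
# tunnel looks like: the CHILD_SA line sits directly under its IKE_SA.
SAMPLE_STATUS_OK = """\
Security Associations (1 up, 0 connecting):
    ciscoios[3]: ESTABLISHED 2 minutes ago, 10.134.64.116[10.134.64.116]...81.111.21.70[81.111.21.70]
    ciscoios{1}:  INSTALLED, TUNNEL, reqid 1, ESP SPIs: c0a80001_i c0a80002_o
    ciscoios{1}:   10.134.64.116/32 === 81.111.21.70/32
"""

# Constructed charon log lines (hypothetical; not from the poster's system).
# charon logs "received <NOTIFY> notify, no CHILD_SA built" when the peer
# rejects the CHILD_SA inside IKE_AUTH or CREATE_CHILD_SA.
SAMPLE_LOG = """\
Jan 24 09:00:01 vpn charon: 05[IKE] IKE_SA ciscoios[12] established between 10.134.64.116[10.134.64.116]...81.111.21.70[81.111.21.70]
Jan 24 09:00:01 vpn charon: 05[IKE] received TS_UNACCEPTABLE notify, no CHILD_SA built
Jan 24 09:00:05 vpn charon: 07[IKE] received NO_PROPOSAL_CHOSEN notify, no CHILD_SA built
"""

IKE_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\[(?P<id>\d+)\]:\s+(?P<rest>.*)$")
CHILD_RE = re.compile(r"^\s*(?P<conn>[\w-]+)\{(?P<id>\d+)\}:\s+(?P<rest>.*)$")
NOTIFY_RE = re.compile(r"received (?P<notify>[A-Z_]+) notify, no CHILD_SA built")
IKE_STATES = {"CREATED", "CONNECTING", "ESTABLISHED", "PASSIVE", "REKEYING", "DELETING"}

# What each IKEv2 notify (RFC 7296, section 3.10.1) usually means for the
# settings in the posted ipsec.conf. These hints are my own wording.
NOTIFY_HINTS = {
    "TS_UNACCEPTABLE": "peer rejected the traffic selectors: compare "
                       "leftsubnet/rightsubnet with the peer's configured selectors",
    "NO_PROPOSAL_CHOSEN": "peer rejected the CHILD_SA proposal: compare the esp= line "
                          "(cipher, integrity and the PFS group, here modp2048) with the peer",
    "INVALID_KE_PAYLOAD": "DH group mismatch: the group in ike=/esp= differs from the peer's",
}


def _first_token(rest):
    """First word of the text after 'conn[n]: ', with a trailing comma stripped."""
    parts = rest.split(None, 1)
    return parts[0].rstrip(",") if parts else ""


def parse_statusall(text):
    """Map IKE_SA id -> {"conn", "state", "children"} from statusall output.

    CHILD_SA lines ("conn{n}: INSTALLED, ...") carry no IKE_SA id, but
    statusall prints them directly under their IKE_SA, so each one is
    attributed to the most recently seen IKE_SA.
    """
    sas, current = {}, None
    for line in text.splitlines():
        m = IKE_RE.match(line)
        if m:
            current = int(m["id"])
            sa = sas.setdefault(current, {"conn": m["conn"], "state": None, "children": []})
            first = _first_token(m["rest"])
            if first in IKE_STATES:
                sa["state"] = first
            continue
        m = CHILD_RE.match(line)
        if m and current is not None and _first_token(m["rest"]) == "INSTALLED":
            sas[current]["children"].append(int(m["id"]))
    return sas


def established_without_child(sas):
    """IKE_SA ids that are ESTABLISHED but have no INSTALLED CHILD_SA."""
    return sorted(i for i, sa in sas.items()
                  if sa["state"] == "ESTABLISHED" and not sa["children"])


def triage_log(text):
    """Return (notify, hint) for every rejected CHILD_SA found in charon log lines."""
    return [(m["notify"], NOTIFY_HINTS.get(m["notify"], "see RFC 7296, section 3.10.1"))
            for m in (NOTIFY_RE.search(line) for line in text.splitlines()) if m]


if __name__ == "__main__":
    sas = parse_statusall(SAMPLE_STATUS)
    for i in established_without_child(sas):
        print(f"IKE_SA [{i}] is up but carries no CHILD_SA; look for a notify in the log")
    for notify, hint in triage_log(SAMPLE_LOG):
        print(f"{notify}: {hint}")
```

On the real host, replace the samples with the actual `ipsec statusall` output and the charon lines written at the `charondebug` level set in the posted config. Two settings in the posted ipsec.conf are worth checking against the Cisco side while doing so: the `modp2048` group in `esp=aes256-sha256-modp2048!` asks for PFS with that group in every CHILD_SA, and the trailing `!` makes both proposals strict, so the peer must offer exactly that combination or the CHILD_SA is refused even though the IKE_SA comes up.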

0 Answers